A server farm is a physical location having a scalable infrastructure and facilities and resources enabling users connected to the Internet network to easily access a number of services provided by a plurality of customers hosted by the server farm. Generally, the resources are located in premises owned by a data processing equipment provider such as the IBM Corporation.
Most server farms are used today to host Internet related devices (for example WEB servers) of several customers. The architecture of such a server farm includes a local network to which are connected the customer cabinets and an Internet front-end connecting this local network to the Internet. Such a local network includes different layers of components such as switches and firewalls through which requests from the users connected to the Internet are routed towards the customer cabinets.
The firewalls are intermediary devices between the local Network and the front-end. They are connected by a LAN to an Internet Access Router (IAR) which is directly connected to the Internet. For redundancy, there are two firewalls connected to the IAR, a primary firewall and a secondary firewall. At a given time, all communications are established through the primary firewall. If the primary firewall fails, the secondary firewall becomes the primary firewall and all the communications pass through it.
The firewalls present all the characteristics of a router with the addition of security filtering features known as firewall rules. A firewall may also have the capability to inspect IP packets and track the state of sessions through the firewall established between two devices separated by the firewall. This capability, which is known as “Statefull Inspection”, includes checking that every backward connection is associated with an existing forward connection and following the state of a connection to allow only packets that are in the right sequence level of the connection to proceed. This means that, if a connection is established from an end user to a WEB server (forward path) through a first firewall, all the responses coming from the WEB server to the end user (reverse path) will have to go through this firewall. If any firewall receives a reverse path frame without having received a forward path frame, it will drop the reverse frame. If any firewall receives a data packet while the session is only at the connecting state, it will drop the data packet.
In the local network, a protocol such as the Virtual Route Routing Protocol (VRRP) is used between the firewalls. VRRP allows the customer WEB servers to see the redundant firewalls as a single virtual firewall. At any instant, only one firewall really owns the virtual firewall function based on the availabilities of the firewall interfaces or on static priorities associated with them by configuration. The individual interface having the highest priority is the one elected to own the virtual firewall interface and the associated firewall acts as the virtual firewall until it fails or until another interface with a higher priority appears. A first firewall (called the primary firewall) can own the virtual firewall function for a subset of the customer servers while the other firewall (called the secondary firewall) can own this role for another set of customers. In other words, the first firewall or primary firewall owns the primary interface of the VRRP group of interfaces to each one of these customer servers.
At least two firewalls connect the local network to the Internet network. As a result, there is a routing problem, since the customer WEB servers attached thereto may be reached by at least two different paths going through each firewall. Because of the Statefull Inspection mode in the firewalls, the forward path must be identical to the reverse path, resulting in what is known as symmetrical routing.
One requirement is to allow different customer WEB servers (in different cabinets) to communicate between themselves. This means that all customer servers must have the same primary firewall by configuration in order to provide the symmetrical routing. In case of firewall failover, all the customer servers must be switched over the secondary firewall. Also by configuration, the firewalls are setup so that a first firewall, which is the primary firewall for all the customer servers, is chosen by default as the firewall to be used by the IAR when both firewalls are operational.
But there is a problem when a link between the first firewall which is the primary firewall being used and the customer WEB servers fails. In such a case, all the frames from the customer servers go through a second firewall. However, the IAR will keep selecting the first firewall as the path to route the frames from the Internet to the customer servers. Therefore, symmetric routing is not preserved, as the forward path for the customer servers is through a firewall whereas the reverse path is through the other firewall. This results in dropping all reverse path frames by the latter firewall.